Understanding & Deploying Device Guard

Cyber-attacks commonly occur through applications, browsers, unpatched vulnerabilities, or social engineering. Deploying Device Guard (a central feature in the suite of Microsoft’s Windows 10 security features) does not eliminate the possibility of being targeted for attacks, but it does significantly reduce the attack surfaces favored by bad actors and malware writers.

Device Guard hardens those attack surfaces by creating a “chain of trust” that runs from the hardware and firmware configuration involved in the boot process, up through the Windows OS kernel, to the software running in Windows.

The aim is to ensure all components involved are trusted and have not been compromised or tampered with at any time. This is called defense-in-depth security: the endpoint is secured in multiple layers rather than focusing on just one layer and ignoring others.

However, deploying Device Guard is no cup of tea, nor is it for the faint of heart. Its architecture has a number of components, and there are detailed processes to follow. Learning more about Device Guard is sure to present some new concepts in Windows that are worth taking the time to understand.

In this white paper, which I have co-authored with Dave Fuller, we not only give readers a greater understanding of how Device Guard works, but – much more importantly – explain how you can implement it, and develop your ‘whitelist’ of trusted applications. It’s a real must-read for anyone aiming for a secure Windows 10 for their business.


Troy Martin
Troy is a Technical Architect at 1E, which entails providing technical direction for 1E technologies, assuring their qualities in efficiently managing hardware, systems, users and other endpoints. Troy is well known in the Configuration Manager community as a speaker and subject matter expert. Working with some of the largest companies in the world as a consultant with 1E for 5 years, he has been involved with dozens of SCCM and Windows migrations and upgrades. Troy has been instrumental in collaborating with others at 1E to create some of the core foundations of Software Lifecycle Automation (SLA), such as automated application rationalization and an OSD mapping solution, to name a couple. Many Fortune 500 companies have since benefited from SLA for their Windows migrations and are sure to take advantage of it during their ongoing migration to Windows 10.